Add GlobalPlatform API client library (libteec) and example app (optee_gp)

[gpoulios]

Summary

Note

Will keep this a draft until apache/nuttx#16356 is merged, as the current driver is not fully compatible with the GP API. apache/nuttx#16356 also introduces the necessary nxstyle whitelisting for this one to pass the CI checks.

This PR addresses the following:

1. examples/optee: Fixes usage of some fields during shared memory registration in the existing OP-TEE example
   • Previous version of optee example was using id during shm registration as input whereas it is an output variable. It was also specifying flags to dictate the behaviour whereas the latest implementation of the driver prohibits their use.
2. tee/libteec: Adds the libteec library into NuttX-Apps
   • Downloads optee_client, patches libteec to work with NuttX, and adds it as a static library. Defaults to version 4.6.0.
3. examples/optee_gp: Adds an example app making use of GlobalPlatform TEE client API (libteec)
   • The app opens a session with the OP-TEE built-in pseudo TA "devices", and invokes a command to enumerate available devices on the secure world OS. It demonstrates use of NULL memrefs, temporary shared memory, and registered shared memory.

Impact

Adds support for communicating with TEEs using the familiar GP API.

No impact to existing users.

Testing

Tested on a NXP i.MX93 EVK running:

• TF-A: version v2.10.0, tag lf-6.6.52_2.2.0

• OP-TEE OS: revision 4.4 (60beb308810f9561), tag lf-6.6.52_2.2.0

• NuttX PR: Fix OP-TEE driver compatibility issues nuttx#16356

• NuttX configs imx93-evk:nsh and imx93-evk:knsh with additional config:

  CONFIG_ALLOW_BSD_COMPONENTS=y
  CONFIG_ARCH_VMA_MAPPING=y
  CONFIG_ARCH_SHM_NPAGES=4096
  CONFIG_ARCH_SHM_VBASE=0xFF000000
  CONFIG_DEV_OPTEE_SMC=y
  CONFIG_EXAMPLES_OPTEE=y
  CONFIG_EXAMPLES_OPTEE_GP=y
  CONFIG_FS_SHMFS=y
  CONFIG_LIBC_MEMFD_SHMFS=y
  CONFIG_LIBTEEC=y
  

• Logs

  [...]
  OP-TEE: OS revision 4.4 (60beb308810f9561)
  
  NuttShell (NSH)
  nsh> optee
  impl id: 1, impl caps: 1, gen caps: 13
  Available devices:
    d96a5b40-c3e5-21e3-8794-1002a5d5c61b
    f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c
  
  nsh> optee_gp
  INF [6] TEEC:optee_gp_main:159: Available devices:
  INF [6] TEEC:optee_gp_main:169:   d96a5b40-c3e5-21e3-8794-1002a5d5c61b
  INF [6] TEEC:optee_gp_main:169:   f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c
  

  [...]
  OP-TEE: OS revision 4.4 (60beb308810f9561)
  
  NuttShell (NSH)
  knsh> optee
  impl id: 1, impl caps: 1, gen caps: 13
  Available devices:
    d96a5b40-c3e5-21e3-8794-1002a5d5c61b
    f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c
  
  knsh> optee_gp
  INF [6] TEEC:main:159: Available devices:
  INF [6] TEEC:main:169:   d96a5b40-c3e5-21e3-8794-1002a5d5c61b
  INF [6] TEEC:main:169:   f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c
  

[xiaoxiang781216]

* NuttX configs `imx93-evk:nsh` and `imx93-evk:knsh` with additional config:
  ```
  CONFIG_ALLOW_BSD_COMPONENTS=y
  CONFIG_ARCH_VMA_MAPPING=y
  CONFIG_ARCH_SHM_NPAGES=4096
  CONFIG_ARCH_SHM_VBASE=0xFF000000
  CONFIG_DEV_OPTEE_SMC=y
  CONFIG_EXAMPLES_OPTEE=y
  CONFIG_EXAMPLES_OPTEE_GP=y
  CONFIG_FS_SHMFS=y
  CONFIG_LIBC_MEMFD_SHMFS=y
  CONFIG_LIBTEEC=y
  ```

@gpoulios let's create new defconfig to enable optee, so ci could check no change will break optee in the future.

[xiaoxiang781216]

do you plan to port optee_test too? @gpoulios

[gpoulios]

do you plan to port optee_test too? @gpoulios

Not any time soon. Perhaps in the future.

[cederom]

Thank you @gpoulios :-)

Is the name tee/ correct, shouldn't it be optee/? I can see we use already OPTEE name in NuttX and the OP-TEE project uses optee_ suffix :-)

Can we please move optee/ under some existing group/category to keep things clean i.e. system/optee?

This will be initial commit so some words of introduction would be nice to put into a commit - for instance what is this library, whers is the homepage and documentation, etc + some info in the src headers so newcomers will know what this is :-)

Mixed case identifiers comes from the library API so we need to accept that.

[gpoulios]

Is the name tee/ correct, shouldn't it be optee/?

The directory is named tee/ because there might be some other implementation in the future (e.g. libamdteec or whatever). It also comes from the fact that the specification is not OPTEE specific. @cederom Do you still want me to rename it?

Can we please move optee/ under some existing group/category to keep things clean i.e. system/optee?

I considered that but then I thought, it’s not exactly a system thing, right? Just didn’t fit alongside the other packages under system/. But if you want it there, sure.

This will be initial commit so some words of introduction would be nice to put into a commit - for instance what is this library, whers is the homepage and documentation, etc

You mean put this info on the commit message of the commit introducing libteec?

• some info in the src headers so newcomers will know what this is :-)

You lost me here, can you show me an example please? There are no header files introduced by us. Only the library’s (downloaded) headers.

As for new comers, if they have any aspirations to write an OPTEE client app in NuttX, I’m pretty sure they know already those things, but sure I can put a few links here and there.

Mixed case identifiers comes from the library API so we need to accept that.

Yes, whitelisting is in the NuttX PR i mentioned in the description.

[cederom]

Thanks @gpoulios, lets keep the top level tee/ then, we just need some short description and references in the help and source files to the standard so people know what this is :-)

The note I mentioned was to put a brief description of what "TEE" is and URL reference to the standard in the Kconfig help and/or top part of the source files ("file header" in terms of location) so its fast to know that these files are :-)

Lets keep things self-explanatory :-)

[cederom]

Thank you @gpoulios :-)

[gpoulios]

One check should pass now that apache/nuttx#16356 is merged.

The other failing check (msys), I don’t quite understand.

Can someone re-trigger those please? @xiaoxiang781216 perhaps? Thanks

[xiaoxiang781216]

One check should pass now that apache/nuttx#16356 is merged.

The other failing check (msys), I don’t quite understand.

Can someone re-trigger those please? @xiaoxiang781216 perhaps? Thanks

Done, but you can update the patch to retrigger ci too.

[gpoulios]

Done, but you can update the patch to retrigger ci too.

Thank you @xiaoxiang781216. I know, I just didn’t want to lose the approvals or rerun it from scratch.